Re: [CSP3] reflected XSS directive from Jim Manico on 2022-08-29 (public-webappsec@w3.org from August 2022)

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 29 Aug 2022 08:26:26 -0700
To: Daniel Veditz <dveditz@mozilla.com>, Harel Klopfer <Harel.Klopfer@hot.net.il>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <fdc88242-6fce-8a3e-365a-c54719e37846@owasp.org>

I sent a copy of this to the OWASP projects leaders to fix.

- Jim

On 8/29/22 7:34 AM, Daniel Veditz wrote:
> On Mon, Aug 29, 2022 at 6:57 AM Harel Klopfer 
> <Harel.Klopfer@hot.net.il> wrote:
>
>     I saw at the OWASP the reflected XSS directive for the CSP header
>     (site:
>     https://owasp.org/www-project-secure-headers/#content-security-policy),
>
>
>     but I couldn’t find this directive at your site.
>
>
> The OWASP documentation appears to contain old information from a 
> draft version of the spec. There is no "reflected-xss" directive in 
> CSP. A strict policy already combats reflected and stored XSS and some 
> DOM XSS without a special directive for it. If you wish to use CSP I'd 
> check out more in-depth information about it, but a couple of top-line 
> items
> * if you use 'unsafe-inline' you are not preventing XSS at all
> * if you use 'unsafe-eval' that might allow XSS depending on your 
> site's code
> * using 'strict-dynamic' with nonces or hashes is more secure than a 
> whitelist of domains. Most domains have an abusable script on them 
> somewhere, so the whitelist approach can often be bypassed to achieve 
> XSS in practice.
>
> -Dan Veditz
>

Received on Monday, 29 August 2022 15:26:42 UTC